Sectigo CA Connector

Overview

Sectigo Certificate Manager (SCM) supports Certificate Authority (CA) agnostic certificate lifecycle management through the Sectigo CA Connector (CA Connector). With the CA Connector you can manage, from SCM, certificates issued by a Microsoft Active Directory Certificate Services (AD CS) CA or by AWS Private CA (the private CA service of AWS Certificate Manager; the connector calls it acmpca and this page refers to it as ACM).

The components of the Sectigo CA agnostic solution are as follows:

  • SCM

  • CA Connector

  • Third-party CA

CA Connector Architecture

Supported Certificate Types

The supported certificate types vary by CA. Both backends are private CAs, so neither issues publicly trusted DV, OV, or EV SSL certificates. The following table shows which certificate types are supported by each CA.

CA Type              Private SSL  DV SSL  OV SSL  EV SSL  Client Cert  Device Cert  Code Signing Cert
Microsoft (Private)  Yes          No      No      No      Yes          Yes          Yes
ACM                  Yes          No      No      No      No           No           No

Prerequisites

  • An SCM account and MRAO administrator permissions

  • Administrator permissions for the CA

  • Microsoft Windows Server 2016, 2019, or 2022 (64-bit) and local admin permissions to install the CA Connector

CA Requirements

In addition to the general prerequisites, the CA you are using has its own requirements, listed below for the Microsoft CA and for ACM.

The following requirements must be met before using the CA Connector with the Microsoft CA:

  • You have installed Active Directory and configured the Certificate Services role as an Enterprise CA.

  • An Enrollment Agent (Computer) template, or a duplicate of it, has been published on the CA, and the template grants Read and Enroll permissions to the CA Connector's machine account.

    MS Template Permissions
  • You have granted the Manage CA and Issue and Manage Certificates permissions on the CA to the CA Connector's machine account.

The following requirements must be met before using the CA Connector with ACM:

  • You have an active AWS account.

  • You have created an IAM user (with an access key) to represent the CA Connector. The connector authenticates as this user with its access key ID and secret access key, so grant the user only the AWS Private CA permissions it needs rather than broad administrative rights.

Install the CA Connector

  1. Log in to SCM.

  2. From the left-hand menu, select Integrations > CA Connectors.

  3. In the top right corner of the page, click Download Connector.

  4. Save the token displayed in the popup window for use during the installation process.

    The token is consumed by the installation attempt: if your installation fails, subsequent attempts require a new registration token (repeat step 3 to obtain one).
  5. (Optional) If required, move the SectigoCBCS.msi file to the CA Connector machine.

  6. Right-click SectigoCBCS.msi and click Install.

    Alternatively, you can install the CA Connector from an elevated command prompt with:

    msiexec.exe /i SectigoCBCS.msi TOKEN=<Registration token>

  7. In the setup wizard, click Next.

    Install Connector
  8. Read and accept the license agreement.

  9. Click Next.

  10. Select the destination folder where the CA Connector will be installed.

    If no destination folder is selected, the CA Connector and library will be installed in C:\Program Files\Sectigo Limited\SectigoCBCS.
  11. Paste the registration token that you saved during the connector download.

  12. Click Next.

  13. In the Proxy Settings window, select Direct Internet connection (no proxy), or select Manual proxy configuration and enter your configuration details based on the information provided in the following table.

    Address:  The IP address or the DNS name of the proxy server
    Port:     The listening port of the proxy server
    Username: The username used to connect to the proxy server
    Password: The password used to connect to the proxy server

    Proxy settings
    Click Test Connection to confirm that the connector can reach SCM through the proxy before continuing.
  14. Click Install.

  15. Click Yes to allow the installation to complete on the server.

  16. Click Finish.

The application's configuration and log files are stored in C:\ProgramData\Sectigo Limited\SectigoCBCS. Restrict access to this directory to administrators.

Confirm that the CA Connector is running: press Win+R, enter services.msc, and check that the CA Connector service appears in the Services list with the status Running.

The CA Connector status can also be viewed in SCM on the Integrations > CA Connectors page.
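The following PowerShell script is an added example, not Sectigo's code or installer: it runs the command-line install from step 6 unattended and then performs the post-install checks described above. It assumes (none of this is stated on the page) that SectigoCBCS.msi is in the current directory, that the registration token is supplied in the environment variable SCM_CONNECTOR_TOKEN rather than typed on the command line, that the MSI is Authenticode-signed, and that the connector's Windows service has "Sectigo" in its display name.

```powershell
#Requires -RunAsAdministrator
# Added example (not Sectigo's code): unattended CA Connector install with post-install checks.
# Assumptions (not stated on the page): SectigoCBCS.msi is in the current directory, the
# registration token is in $env:SCM_CONNECTOR_TOKEN, the MSI is Authenticode-signed, and the
# connector's Windows service has "Sectigo" in its display name.

$msi     = Join-Path (Get-Location) 'SectigoCBCS.msi'
$token   = $env:SCM_CONNECTOR_TOKEN
$logFile = Join-Path $env:TEMP 'SectigoCBCS-install.log'
$dataDir = 'C:\ProgramData\Sectigo Limited\SectigoCBCS'   # config/log location from the page

if ([string]::IsNullOrWhiteSpace($token)) {
    throw 'Set SCM_CONNECTOR_TOKEN to the token shown under Integrations > CA Connectors > Download Connector.'
}
if (-not (Test-Path -LiteralPath $msi)) { throw "Installer not found: $msi" }

# Check the installer's signature before handing it to msiexec.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: Authenticode status is '$($sig.Status)' for $msi"
}
"Installer signed by: $($sig.SignerCertificate.Subject)"

# /i, /qn and /l*v are standard msiexec switches; TOKEN is the property used by the page's own
# command line. A failed attempt consumes the token, so stop on a non-zero exit code instead of
# retrying with the same value.
$msiArgs = "/i `"$msi`" TOKEN=$token /qn /l*v `"$logFile`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with $($proc.ExitCode); see $logFile. Download a new registration token before retrying."
}

# The services.msc check from the page, scripted.
$services = @(Get-Service | Where-Object { $_.DisplayName -like '*Sectigo*' })
if ($services.Count -eq 0) { throw 'No Sectigo service found after installation.' }
foreach ($svc in $services) {
    if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name }
}
Get-Service -Name $services.Name | Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize

# Configuration and logs live here; list them and show who can read them.
if (-not (Test-Path -LiteralPath $dataDir)) {
    Write-Warning "Expected data directory missing: $dataDir"
} else {
    Get-ChildItem -LiteralPath $dataDir -Recurse -File |
        Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    (Get-Acl -LiteralPath $dataDir).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
}
```

The token still appears in the msiexec process command line for the duration of the install; that is acceptable because it is a one-time registration token, but it is the reason the script refuses to loop on failure.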

Configure the CA Connector

Each CA has specific configuration instructions that must be completed once the CA Connector is installed. The commands below are run on the CA Connector machine.

Microsoft CA

  1. In a command prompt window, navigate to the directory where the CA Connector is installed (by default C:\Program Files\Sectigo Limited\SectigoCBCS).

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type msca -server <server> -ca <ca_common_name>

    The command options are outlined below.

    name:   The name used to represent the CA backend
    type:   The type of CA being connected to. For a Microsoft CA the value must be msca.
    server: The hostname of the server hosting the Microsoft CA
    ca:     The CA's Common Name

    Sample command:
    sectigo-cbcs.exe backend add -name MSCA1 -type msca -server SectigoTestCA -ca local-SectigoTestCA-CA
  3. Generate the Enrollment Agent (EA) key pair and enroll the Enrollment Agent certificate.

    C:\Program Files\Sectigo Limited\SectigoCBCS>sectigo-cbcs.exe backend msca enroll-agent-cert -name <backend_name> -ca <ca_common_name>

    To enroll against a different EA template (for example the duplicate you created), add the -template <your_ea_template_name> option.
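The following PowerShell script is an added example, not Sectigo's code: it performs the pre-flight checks a practitioner would want before running steps 2 and 3 (the CA answers under the names given to -server and -ca, and the Enrollment Agent template is actually published on it), then runs the two connector commands from this page. It assumes (none of this is stated on the page) that it runs on the CA Connector machine as a local administrator, that the connector is installed in the default directory, that -template takes the template's name, and that the EA certificate is enrolled into the local machine's personal certificate store. The server and CA names default to the values from the page's sample command; EnrollmentAgentMachine is the internal name of the built-in Enrollment Agent (Computer) template.

```powershell
# Added example (not Sectigo's code): pre-flight checks followed by the two connector commands.
# Assumptions (not stated on the page): runs on the CA Connector machine as a local admin,
# default install directory, -template takes the template name, and the EA certificate ends
# up in Cert:\LocalMachine\My.
param(
    [string]$BackendName = 'MSCA1',                   # from the page's sample command
    [string]$CaServer    = 'SectigoTestCA',           # from the page's sample command
    [string]$CaName      = 'local-SectigoTestCA-CA',  # from the page's sample command
    [string]$EaTemplate  = 'EnrollmentAgentMachine'   # built-in "Enrollment Agent (Computer)"; use your duplicate's name if you made one
)
$cbcs     = 'C:\Program Files\Sectigo Limited\SectigoCBCS\sectigo-cbcs.exe'
$caConfig = "$CaServer\$CaName"   # certutil config string: <server>\<CA common name>

if (-not (Test-Path -LiteralPath $cbcs)) { throw "Connector binary not found: $cbcs" }

# 1. The CA must be reachable under exactly the names the backend will use.
& certutil.exe -config $caConfig -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ping failed for $caConfig (check the -server/-ca values and RPC/DCOM access)" }

# 2. The Enrollment Agent template must be published on that CA. certutil prints one template
#    per line, starting with "<template name>: <display name>".
$published = & certutil.exe -config $caConfig -CATemplates
if ($LASTEXITCODE -ne 0) { throw "Could not list templates on $caConfig" }
if (-not ($published | Select-String -SimpleMatch -Pattern "$EaTemplate`:")) {
    throw "Template '$EaTemplate' is not published on $caConfig; add it under the CA's Certificate Templates folder first."
}

# 3. Page steps 2 and 3: register the backend, then enroll the EA certificate against it.
& $cbcs backend add -name $BackendName -type msca -server $CaServer -ca $CaName
if ($LASTEXITCODE -ne 0) { throw 'backend add failed' }

& $cbcs backend msca enroll-agent-cert -name $BackendName -ca $CaName -template $EaTemplate
if ($LASTEXITCODE -ne 0) { throw 'enroll-agent-cert failed' }

# 4. Show certificates carrying the Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1).
#    An EA certificate can request certificates on behalf of other principals, so record the
#    thumbprint and treat the key like a privileged credential.
$craOid = '1.3.6.1.4.1.311.20.2.1'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $craOid } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
```

If step 4 lists nothing, the connector stores the EA certificate elsewhere than assumed here; the backend add and enroll-agent-cert steps are unaffected.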
ACM

  1. In a command prompt window, navigate to the directory where the CA Connector is installed.

  2. Create a new backend.

    sectigo-cbcs.exe backend add -name <backend_name> -type acmpca -accesskeyid <key_id> -secretaccesskey <secret_access_key> -region <region>

    The command options are outlined below.

    name:            The name used to represent the CA backend
    type:            The type of CA being connected to. For ACM the value must be acmpca.
    accesskeyid:     The access key ID of the IAM user created for the CA Connector
    secretaccesskey: The secret access key that belongs to that access key ID
    region:          The AWS region in which the private CA was created (for example us-east-1)

    Sample command:
    sectigo-cbcs.exe backend add -name test-acmpca -type acmpca -accesskeyid <key id> -secretaccesskey <secret_access_key> -region us-east-1

    The secret access key is passed as a command-line argument, so it can be recorded in the shell's command history (PowerShell's PSReadLine history, for example) and is visible to anyone who can list process command lines on the machine while the command runs. Run this step from an administrator-only session, clear the history afterwards, and rotate the key if you suspect it was exposed.
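The following PowerShell script is an added example, not Sectigo's code: it reads the IAM user's credentials interactively (so the secret is not typed into the shell history), confirms with the AWS CLI that those credentials are valid and can see an ACTIVE private CA in the chosen region, and only then runs the backend add command from step 2. It assumes (none of this is stated on the page) that AWS CLI v2 is on the PATH of the connector machine and that the connector is installed in the default directory; the backend name and region default to the values from the page's sample command.

```powershell
# Added example (not Sectigo's code): validate the IAM user's credentials against AWS Private CA,
# then run the page's backend add command without typing the secret on the command line.
# Assumptions (not stated on the page): AWS CLI v2 on PATH, default connector install directory.
param(
    [string]$BackendName = 'test-acmpca',   # from the page's sample command
    [string]$Region      = 'us-east-1'      # from the page's sample command
)
$cbcs = 'C:\Program Files\Sectigo Limited\SectigoCBCS\sectigo-cbcs.exe'
$null = Get-Command aws -ErrorAction Stop

$accessKeyId = Read-Host 'AWS access key ID'
$secure      = Read-Host 'AWS secret access key' -AsSecureString
$secretKey   = [System.Net.NetworkCredential]::new('', $secure).Password

# Scope the credentials to this process through environment variables; nothing is written to ~/.aws.
$env:AWS_ACCESS_KEY_ID     = $accessKeyId
$env:AWS_SECRET_ACCESS_KEY = $secretKey
$env:AWS_DEFAULT_REGION    = $Region
try {
    $who = aws sts get-caller-identity --output json | ConvertFrom-Json
    if ($LASTEXITCODE -ne 0) { throw 'STS rejected the credentials' }
    "Credentials resolve to: $($who.Arn)"

    # The user must be able to see an ACTIVE private CA in the region passed to -region.
    $cas = aws acm-pca list-certificate-authorities --output json | ConvertFrom-Json
    if ($LASTEXITCODE -ne 0) { throw 'acm-pca:ListCertificateAuthorities was denied or failed' }
    $active = @($cas.CertificateAuthorities | Where-Object { $_.Status -eq 'ACTIVE' })
    if ($active.Count -eq 0) { throw "No ACTIVE private CA is visible to this user in $Region" }
    $active | Select-Object Arn, Status,
        @{ n = 'CommonName'; e = { $_.CertificateAuthorityConfiguration.Subject.CommonName } } |
        Format-Table -AutoSize
}
finally {
    Remove-Item Env:AWS_ACCESS_KEY_ID, Env:AWS_SECRET_ACCESS_KEY, Env:AWS_DEFAULT_REGION -ErrorAction SilentlyContinue
}

# Page step 2. The values come from variables, so the secret is not in the interactive history;
# it is still briefly visible in the sectigo-cbcs.exe process command line while it runs.
& $cbcs backend add -name $BackendName -type acmpca -accesskeyid $accessKeyId -secretaccesskey $secretKey -region $Region
if ($LASTEXITCODE -ne 0) { throw 'backend add failed' }
Remove-Variable secretKey, secure
```

The connector must persist the key somewhere to use it later, which is another reason to keep the C:\ProgramData\Sectigo Limited\SectigoCBCS directory readable by administrators only and to give the IAM user no permissions beyond what the private CA workflow needs.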

Configuring CA backends

Create third-party CA backends

  1. Log in to SCM as an MRAO admin.

  2. Navigate to Issuers > CA Backends and click Add.

    SCM home page
  3. Add the information for your third-party CA using the information below.

    Backend Type:     The third-party CA you are using (Microsoft CA or ACM)
    Name:             The name of the CA backend in SCM
    Connector:        The CA Connector to be used
    Local CA Backend: The name given with -name when the backend was created on the CA Connector

  4. Click Save.

    The new CA backend is now displayed on the CA Backends page in SCM.

Create certificate profiles

  1. Log in to SCM as an MRAO admin.

  2. Navigate to Enrollment > Certificate Profiles and click Add.

    SCM home page
  3. Complete the Add Certificate Profiles form using the information provided below. The fields differ by backend.

    Microsoft CA

    CA Backend: The name of the CA backend in SCM
    Certificate Type: The type of certificate that can be issued using this certificate profile (Client, SSL, Code Signing, or Device Certificate). The supported certificate types are determined by the CA backend (see Supported Certificate Types above).
    Certificate Template: The template that controls the certificate policies as set by Sectigo. For MSCA and ACM the selection will usually be None.
    Trust Level: Indicates whether the certificates issued using this certificate profile are publicly trusted. If publicly trusted, organizations and domains must be validated before certificates can be issued using this certificate profile.
    Name: The name of the certificate profile
    Description: A description of the profile
    Issuing CA: The CA's Common Name
    MS Template: The AD CS certificate template the CA will issue from. All MS templates must grant Read and Enroll access to the CA Connector's machine account in order to function correctly.
    Build Subject from AD information: When selected, Active Directory information is used for the subject; otherwise it is built from the request. For this to work, the selected template must have the following settings on its Issuance Requirements tab:
      • This number of authorized signatures selected and set to 1
      • Application policy set to Certificate Request Agent
    Term: The validity period of certificates issued using this certificate profile
    Allow Renew: When enabled, the option to renew certificates is available via the SCM UI and related APIs.

    ACM

    CA Backend: The name of the CA backend in SCM
    Certificate Type: The type of certificate that can be issued using this certificate profile (Client, SSL, Code Signing, or Device Certificate). The supported certificate types are determined by the CA backend (see Supported Certificate Types above).
    Certificate Template: The template that controls the certificate policies as set by Sectigo. For MSCA and ACM the selection will usually be None.
    Trust Level: Indicates whether the certificates issued using this certificate profile are publicly trusted. If publicly trusted, organizations and domains must be validated before certificates can be issued using this certificate profile.
    Name: The name of the certificate profile
    Description: A description of the profile
    AWS Private CA: The name of the AWS private CA
    Signature Algorithm: The signature algorithm to be used when signing certificates
    AWS Template: The AWS Private CA certificate template to issue from
    Term: The validity period of certificates issued using this certificate profile
    Allow Renew: When enabled, the option to renew certificates is available via the SCM UI and related APIs.

  4. Click Save.

    Your new certificate profile is now displayed on the Certificate Profiles page.
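The following PowerShell script is an added example, not Sectigo's code: before a template is chosen as the MS Template of a Microsoft CA profile, it checks the template object in Active Directory against the requirements listed above, namely Read and Enroll for the connector's machine account and, when Build Subject from AD information will be used, one authorized signature with the Certificate Request Agent application policy on the Issuance Requirements tab. It assumes (none of this is stated on the page) that the ActiveDirectory RSAT module is installed, that $TemplateName is the template's internal name (its cn), and that $ConnectorAccount is the connector machine account written as DOMAIN\HOST$; the example account names in the comments are hypothetical.

```powershell
# Added example (not Sectigo's code): check an AD CS template against the profile requirements.
# Assumptions (not stated on the page): ActiveDirectory RSAT module present, $TemplateName is
# the template cn, $ConnectorAccount is the connector machine account as DOMAIN\HOST$.
param(
    [Parameter(Mandatory)][string]$TemplateName,       # e.g. 'SCMWebServer' (hypothetical)
    [Parameter(Mandatory)][string]$ConnectorAccount,   # e.g. 'CORP\CACONNECTOR01$' (hypothetical)
    [switch]$RequireAdSubjectSettings                  # also enforce the Issuance Requirements checks
)
Import-Module ActiveDirectory -ErrorAction Stop

$craOid     = '1.3.6.1.4.1.311.20.2.1'                       # Certificate Request Agent
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$base       = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
              (Get-ADRootDSE).configurationNamingContext

$tpl = Get-ADObject -SearchBase $base -Filter "cn -eq '$TemplateName'" `
        -Properties 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies', 'nTSecurityDescriptor'
if (-not $tpl) { throw "Template '$TemplateName' not found under $base" }

$problems = New-Object System.Collections.Generic.List[string]

# Security tab: the connector's machine account needs Read and Enroll (GenericAll covers both).
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$aces = @($tpl.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ConnectorAccount
})
$hasAll    = $aces | Where-Object { ($_.ActiveDirectoryRights -band $rights::GenericAll)  -eq $rights::GenericAll }
$hasRead   = $aces | Where-Object { ($_.ActiveDirectoryRights -band $rights::GenericRead) -eq $rights::GenericRead }
$hasEnroll = $aces | Where-Object { ($_.ActiveDirectoryRights -band $rights::ExtendedRight) -and $_.ObjectType -eq $enrollGuid }
if (-not ($hasAll -or $hasRead))   { $problems.Add("$ConnectorAccount has no Read permission on the template") }
if (-not ($hasAll -or $hasEnroll)) { $problems.Add("$ConnectorAccount has no Enroll permission on the template") }

# Issuance Requirements tab (only needed when Build Subject from AD information is selected).
if ($RequireAdSubjectSettings) {
    if ([int]$tpl.'msPKI-RA-Signature' -ne 1) {
        $problems.Add("msPKI-RA-Signature is '$($tpl.'msPKI-RA-Signature')'; expected 1 authorized signature")
    }
    if (@($tpl.'msPKI-RA-Application-Policies') -notcontains $craOid) {
        $problems.Add("msPKI-RA-Application-Policies does not include $craOid (Certificate Request Agent)")
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Template '$TemplateName' meets the requirements for the CA Connector."
```

Run it as .\Check-ScmTemplate.ps1 -TemplateName <cn> -ConnectorAccount 'DOMAIN\HOST$' -RequireAdSubjectSettings (file name is the reader's choice). A template that passes the Issuance Requirements check can only be enrolled with a request signed by a Certificate Request Agent certificate, which is exactly the Enrollment Agent certificate the connector obtained during configuration.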